========================================================================== Ubuntu Security Notice USN-3479-1 November 14, 2017 postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.10 - Ubuntu 17.04 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in PostgreSQL. Software Description: - postgresql-9.6: Object-relational SQL database - postgresql-9.5: Object-relational SQL database - postgresql-9.3: Object-relational SQL database Details: David Rowley discovered that PostgreSQL incorrectly handled memory when processing certain JSON functions. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2017-15098) Dean Rasheed discovered that PostgreSQL incorrectly enforced SELECT privileges when processing INSERT ... ON CONFLICT DO UPDATE commands. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 17.04 and Ubuntu 17.10. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.10: postgresql-9.6 9.6.6-0ubuntu0.17.10 Ubuntu 17.04: postgresql-9.6 9.6.6-0ubuntu0.17.04 Ubuntu 16.04 LTS: postgresql-9.5 9.5.10-0ubuntu0.16.04 Ubuntu 14.04 LTS: postgresql-9.3 9.3.20-0ubuntu0.14.04 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes. References: https://www.ubuntu.com/usn/usn-3479-1 CVE-2017-15098, CVE-2017-15099 Package Information: https://launchpad.net/ubuntu/+source/postgresql-9.6/9.6.6-0ubuntu0.17.10 https://launchpad.net/ubuntu/+source/postgresql-9.6/9.6.6-0ubuntu0.17.04 https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.10-0ubuntu0.16.04 https://launchpad.net/ubuntu/+source/postgresql-9.3/9.3.20-0ubuntu0.14.04